19. Cloud Computing


Cloud Security Control Layers

1. Application - SDLC, binary analysis, scanners, web application firewalls, transaction security
2. Information - DLP, CMF, database activity monitoring, encryption
3. Management - GRC, IAM, VA/VM, patch management, configuration management monitoring
4. Network - NIDS/NIPS, firewalls, DPI, anti-DDoS, QoS, DNSSEC, OAuth
5. Trusted computing - hardware and software RoT and APIs
6. Compute and storage - host-based firewall, HIDS/HIPS, integrity and file/log management, encryption, masking
7. Physical - physical plant security, CCTV, guards

Deterrent Control

A control that attempts to discourage security violations before they occur, for example by sending warning messages to attackers to discourage an intrusion attempt. These controls reduce attacks on the cloud system.

Domain Name System (DNS) Attacks

A domain name system (DNS) server translates a human-readable domain name (e.g., www.google.com) into a numerical IP address that routes communications between nodes. The attacker performs DNS attacks to obtain authentication credentials from Internet users. Types:
o DNS Poisoning: Involves diverting users to a spoofed website by poisoning the DNS server or the DNS cache on the user's system
o Cybersquatting: Involves conducting phishing scams by registering a domain name that is similar to a cloud service provider's
o Domain Hijacking: Involves stealing a cloud service provider's domain name
o Domain Snipping: Involves registering an elapsed domain name

Cloud Auditor

A party that performs an independent examination of cloud service controls with the intent of expressing an opinion thereon. Audits verify adherence to standards through a review of the objective evidence.

Cloud Consumer

A person or organization that maintains a business relationship with cloud service providers and uses cloud computing services. Services available on each platform:
o PaaS - database, business intelligence, application deployment, development and testing, and integration
o IaaS - storage, services management, CDN (content delivery network), platform hosting, backup and recovery, and compute
o SaaS - human resources, ERP (Enterprise Resource Planning), sales, CRM (Customer Relationship Management), collaboration, document management, email and office productivity, content management, financials, and social networking

Cloud Provider

A person or organization that acquires and manages the computing infrastructure intended for providing services (directly or via a cloud broker) to interested parties via network access.

Advantages and Disadvantages of IaaS

Advantages:
o Dynamic infrastructure scaling
o Guaranteed uptime
o Automation of administrative tasks
o Elastic load balancing (ELB)
o Policy-based services
o Global accessibility
Disadvantages:
o Software security is at high risk (third-party providers are more prone to attacks)
o Performance issues and slow connection speed

Advantages and Disadvantages of SaaS

Advantages:
o Low cost
o Easier administration
o Global accessibility
o Compatible (no specialized hardware or software is required)
Disadvantages:
o Security and latency issues
o Total dependency on the Internet
o Switching between SaaS vendors is difficult

Advantages and Disadvantages of PaaS

Advantages:
o Simplified deployment
o Prebuilt business functionality
o Lower risk
o Instant community
o Pay-per-use model
o Scalability
Disadvantages:
o Vendor lock-in
o Data privacy
o Integration with the rest of the system applications

Private Cloud

Also known as an internal or corporate cloud, a private cloud is a cloud infrastructure that a single organization operates solely for itself.
o Advantages:
-• Enhanced security (services are dedicated to a single organization)
-• More control over resources (the organization is in charge)
-• Greater performance (deployed within the firewall, therefore data transfer rates are high)
-• Customizable hardware, network, and storage performance, since the organization owns them
-• Sarbanes-Oxley, PCI DSS, and HIPAA compliance for data is much easier to attain
o Disadvantages:
-• Expensive
-• On-site maintenance

Cloud Broker

An entity that manages cloud services regarding use, performance, and delivery, and maintains the relationship between CSPs and cloud consumers. Provides these services:
o Service Intermediation - Improves a given function by a specific capability and provides value-added services to cloud consumers
o Service Aggregation - Combines and integrates multiple services into one or more new services
o Service Arbitrage - Similar to service aggregation, but here the services being aggregated are not fixed (the cloud broker has the flexibility to choose services from multiple agencies)

Wrapping Attack

The attack is performed during the translation of a SOAP message in the TLS layer: attackers duplicate the body of the message and send it to the server as a legitimate user.

Side Channel Attacks or Cross-guest VM Breaches

The attacker compromises the cloud by placing a malicious virtual machine near a target cloud server and then launching a side-channel attack. In this attack, the attacker runs a virtual machine on the same physical host as the victim's virtual machine and takes advantage of shared physical resources (e.g., the processor cache) to steal data (e.g., cryptographic keys) from the victim.

Session Hijacking using Session Riding

Attackers "ride" an active computer session by sending an email or tricking users into visiting a malicious webpage while they are logged in to the actual target site. When users click the malicious link, the website executes the request as if the user had already been authenticated.

Abuse and Nefarious Use of Cloud services

Attackers create anonymous access to cloud services and perpetrate various attacks such as:
o Password and key cracking
o Building rainbow tables
o CAPTCHA-solving farms
o Launching dynamic attack points
o Hosting exploits on cloud platforms
o Hosting malicious data
o Botnet command and control
o DDoS

SQL Injection Attacks

Attackers insert malicious code (generated using special characters) into standard SQL code to gain unauthorized access to a database and ultimately to other confidential information. It generally occurs when an application uses user input to construct dynamic SQL statements.

Platform-as-a-Service (PaaS)

Primary users: developers. This type of cloud computing service offers the platform for the development of applications and services. Subscribers need not buy and manage the software and infrastructure underneath it, but they have authority over deployed applications and perhaps application-hosting environment configurations. Offers development tools, configuration management, and development platforms on demand that subscribers can use to develop custom applications.

Data Breach/ Loss

o Data is erased, modified, or decoupled
o Encryption keys are lost, misplaced, or stolen

Software as a Service (SaaS)

Primary users: end customers. Offers software to subscribers on demand over the Internet.

Service Hijacking using Social Engineering Attacks

In account or service hijacking, an attacker steals a CSP's or client's credentials by methods such as phishing, pharming, social engineering, and exploitation of software vulnerabilities. Social engineering is a nontechnical kind of intrusion that relies heavily on human interaction and often involves tricking others into breaking routine security procedures.

Public Cloud

In this model, the provider makes services such as applications, servers, and data storage available to the public over the Internet.
o Advantages:
-• Simplicity and efficiency
-• Low cost
-• Reduced time (when a server crashes, the cloud only needs to be restarted or reconfigured)
-• No maintenance (the public cloud service is hosted off-site)
-• No contracts (no long-term commitments)
o Disadvantages:
-• Security is not guaranteed
-• Lack of control (third-party providers are in charge)
-• Slow speed (relies on Internet connections, so the data transfer rate is limited)

Insecure Interfaces and APIs

Insecure interface and API risks:
o Circumvents user-defined policies
o Is not credential-leak proof
o Breach in logging and monitoring facilities
o Unknown API dependencies
o Reusable passwords/tokens
o Insufficient input-data validation

Cryptanalysis Attacks

Insecure or obsolete encryption makes cloud services susceptible to cryptanalysis. Data present in the cloud may be encrypted to prevent it from being read if accessed by malicious users. However, critical flaws in cryptographic algorithm implementations (e.g., weak random number generation) might turn strong encryption weak or broken, and novel methods to break the cryptography also exist.

Hybrid Cloud

It is a cloud environment composed of two or more clouds (private, public, or community) that remain unique entities but are bound together to offer the benefits of multiple deployment models.
o Advantages:
-• More scalable (contains both public and private clouds)
-• Offers both secure resources and scalable public resources
-• High level of security (comprises a private cloud)
-• Allows reducing and managing the cost as per the requirement
o Disadvantages:
-• Communication at the network level may conflict, as it uses both public and private clouds
-• Difficult to achieve data compliance
-• The organization has to rely on the internal IT infrastructure for support to handle any outages (maintain redundancy across data centers to overcome this)
-• Complex Service Level Agreements (SLAs)

Community Cloud

It is a multi-tenant infrastructure shared among organizations from a specific community with common computing concerns such as security, compliance, performance requirements, and jurisdiction. It can be either on-premises or off-premises and governed by the participating organizations or by a third-party managed service provider.
o Advantages:
-• Less expensive compared to the private cloud
-• Flexibility to meet the community's needs
-• Compliance with legal regulations
-• High scalability
-• Organizations can share a pool of resources, accessible from anywhere via the Internet
o Disadvantages:
-• Competition between consumers in usage of resources
-• No accurate prediction of required resources
-• Who is the legal entity in case of liability?
-• Moderate security (other tenants may be able to access data)
-• Trust and security concerns between the tenants

Cloud Pen Testing

A method of actively evaluating the security of a cloud system by simulating an attack from a malicious source. The security posture of the cloud should be monitored regularly to determine the presence of vulnerabilities and the risks they pose. Cloud security is based on the shared responsibility of both the cloud provider and the client.

Cloud Computing

On-demand delivery of IT capabilities, where IT infrastructure and applications are provided to subscribers as a metered service over a network.

Cloud Security Tools

o Qualys Cloud Platform - end-to-end IT security solution that provides a continuous, always-on assessment of the global security and compliance posture, with visibility across all IT assets irrespective of where they reside
o CloudPassage Halo - cloud server security platform with all the security functions needed to safely deploy servers in public and hybrid clouds
o Core CloudInspect - helps validate that a cloud deployment is secure and gives actionable remediation information when it is not

Infrastructure-as-a-Service (IaaS)

Primary users: system administrators. This cloud computing service enables subscribers to use on-demand fundamental IT resources such as computing power, virtualization, data storage, network, and so on. Provides virtual machines and other abstracted hardware and operating systems, which may be controlled through a service API.

Service Hijacking using Network Sniffing

Service hijacking using network sniffing involves the interception and monitoring of network traffic sent between two cloud nodes. Unencrypted sensitive data (such as login credentials) is at higher risk during transmission across a network. The attacker uses packet sniffers (e.g., Wireshark, Cain & Abel) to capture sensitive data such as passwords, session cookies, and other web service-related security configuration such as UDDI (Universal Description, Discovery, and Integration), SOAP (Simple Object Access Protocol), and WSDL (Web Services Description Language) files.

Cloud Penetration Testing

Step 1: Check for Lock-in Problems
Step 2: Check for Governance Issues
Step 3: Check for Compliance Issues
Step 4: Check Cloud for Resource Isolation
Step 5: Check if Anti-malware Applications are Installed and Updated on Every Device
Step 6: Check if CSP has Installed Firewalls at Every Network Entry Point
Step 7: Check if the Provider has Deployed Strong Authentication for Every Remote User
Step 8: Check whether the Provider Encrypts Files Transferred to/from Cloud Servers
Step 9: Check whether Files Stored on Cloud Servers are Encrypted
Step 10: Check the Data Retention Policy of Service Providers
Step 11: Check whether All Users Follow Safe Internet Practices
Step 12: Perform a Detailed Vulnerability Assessment
Step 13: Check Audit and Evidence-Gathering Features in the Cloud Service
Step 14: Perform Automated Cloud Security Testing
Step 15: Document all the Findings

Virtualization

The ability to run multiple operating systems on a single physical system and share the underlying resources such as a server, a storage device or a network.

Compensating/Corrective Control

These controls are used as an alternative when the intended controls fail or cannot be used. They do not prevent an attack attempt but try to restore the system by other means, such as restoring from backup. Examples include hot sites, backup power systems, etc. These controls minimize the consequences of an incident, probably by limiting the damage.

Recovery Control

These controls are used in a more serious condition to recover from a security violation and restore information and systems to a persistent state. Examples include disaster recovery, business continuity plans, backup systems, etc.

Detective Control

These controls detect security violations and record any intrusion attempts. They act when preventive controls fail. Examples include motion detectors, alarm systems and sensors, video surveillance, etc.

Preventive Control

These controls prevent security violations and enforce various access control mechanisms. Preventive controls may be physical, administrative, or technical. Examples include door locks, security guards, etc. These controls strengthen the system against incidents, probably by minimizing or eliminating vulnerabilities.

Cloud Carrier

Acts as an intermediary that provides connectivity and transport services between CSPs and cloud consumers. Provides access to consumers via a network, telecommunication, and other access devices.

Session Hijacking using XSS

This involves injecting malicious code into a website that is subsequently executed by the browser. Using the stolen cookies, the attacker exploits active computer sessions, thereby gaining unauthorized access to the data.

NIST Recommendations for Cloud Security

o Assess the risk posed to the client's data, software, and infrastructure
o Select the appropriate deployment model according to needs
o Ensure audit procedures are in place for data protection and software isolation
o Renew SLAs in case security gaps are found between the organization's security requirements and the cloud provider's standards
o Establish appropriate incident detection and reporting mechanisms
o Analyze the security objectives of the organization
o Enquire about who is responsible for data privacy and security issues in the cloud

Cloud Computing Threats

o Data Breach/Loss
o Abuse and Nefarious Use of Cloud Services
o Insecure Interfaces and APIs
o Insufficient Due Diligence
o Shared Technology Issues
o Unknown Risk Profile
o Unsynchronized System Clocks
o Inadequate Infrastructure Design and Planning
o Conflicts between Client Hardening Procedures
o Malicious Insiders
o Illegal Access to the Cloud
o Loss of Business Reputation due to Co-tenant Activities
o Privilege Escalation
o Natural Disaster
o Hardware Failure
o Supply Chain Failure
o Modifying Network Traffic
o Isolation Failure
o Cloud Provider Acquisition
o Management Interface Compromise
o Network Management Failure
o Authentication Attacks
o VM-Level Attacks
o Lock-in
o Licensing Risk
o Loss of Governance
o Loss of Encryption Key
o Risks from Changes of Jurisdiction
o Undertaking Malicious Probes or Scans
o Theft of Computer Equipment
o Cloud Service Termination or Failure
o Subpoena and E-Discovery
o Improper Data Handling and Disposal
o Loss/Modification of Backup Data
o Compliance Risks
o Economic Denial of Sustainability (EDoS)

Categories of security control

o Deterrent controls - These controls reduce attacks on the cloud system. Example: A warning sign on the fence or property to inform potential attackers of adverse consequences if they proceed to attack.
o Preventive controls - These controls strengthen the system against incidents, probably by minimizing or eliminating vulnerabilities. Example: A strong authentication mechanism to prevent unauthorized use of cloud systems.
o Detective controls - These controls detect and react appropriately to the incidents that happen. Example: Employing IDSs, IPSs, etc. helps to detect attacks on cloud systems.
o Corrective controls - These controls minimize the consequences of an incident, probably by limiting the damage.

Cloud Computing Benefits

o Economic
o Operational
o Staffing
o Security

Best Practices for Securing Cloud

o Enforce data protection, backup, and retention mechanisms
o Enforce SLAs for patching and vulnerability remediation
o Vendors should regularly undergo AICPA SAS 70 Type II audits
o Verify whether one's cloud appears in public domain blacklists
o Enforce legal contracts in the employee behavior policy
o Prohibit credential sharing among users, applications, and services
o Implement secure authentication, authorization, and auditing mechanisms
o Check for data protection at both design and runtime
o Implement strong key generation, storage and management, and destruction practices
o Monitor the client's traffic for any malicious activities
o Prevent unauthorized server access using security checkpoints
o Disclose applicable logs and data to customers
o Analyze cloud provider security policies and SLAs
o Assess the security of cloud APIs and also log customer network traffic
o Ensure that the cloud undergoes regular security checks and updates

Types of Cloud Computing Services

o Infrastructure-as-a-Service (IaaS)
o Platform-as-a-Service (PaaS)
o Software-as-a-Service (SaaS)

Other Cloud Security Tools

o Nessus Enterprise for AWS
o Symantec Cloud Workload Protection
o Alert Logic
o Deep Security
o SecludIT
o Panda Cloud Office Protection
o Data Security Cloud
o Cloud Application Control
o Intuit Data Protection Services

Characteristics of Cloud Computing

o On-demand self-service
o Distributed storage
o Rapid elasticity
o Automated management
o Broad network access
o Resource pooling
o Measured service
o Virtualization technology

Characteristics of virtualization in cloud computing technology

o Partitioning - The cloud supports many applications and multiple OSs in a single physical system by segregating the available resources
o Isolation - The cloud isolates each virtual machine from its host physical system and from other virtual machines, so that if one virtual machine fails it has no impact on the others or on data sharing
o Encapsulation - A virtual machine can be stored as a single file, and thus it can be identified based on its service. Encapsulation protects each application from interfering with other applications

Types of Machines

o Physical Machine - The architecture of a physical machine consists of CPU, memory, NIC, disk, OS, etc. It consumes the complete existing physical resources.
o Virtual Machine - A machine that sits on the standard physical resources. These machines have an advantage over physical machines since running many OSs, memory allocation, etc. is possible over the existing physical resources. Virtual machines are used effectively in cloud computing environments.

Three Phases of Cloud Pentesting

o Preparation: It consists of signing formal agreements to ensure the protection of both parties (Cloud Service Provider [CSP] and client). It defines the policy and course of action the CSP and client should take in finding potential vulnerabilities and their mitigation. Pen testing also considers other users who might be using the same infrastructure under testing.
o Execution: It involves executing the cloud pen-testing plan to find out potential vulnerabilities, if any, existing in the cloud.
o Delivery: Once cloud pen testing is complete, document all the exploits/vulnerabilities and hand over the document to the provider to take necessary action.

Types of Physical Security Control

o Preventive Control
o Detective Control
o Deterrent Control
o Recovery Control
o Compensating/Corrective Control

Cloud Deployment Models

o Public Cloud - rendered over a network that is open for public use
o Private Cloud - operates solely for a single organization
o Community Cloud - shared infrastructure between several organizations from a specific community with common concerns
o Hybrid Cloud - composition of two or more clouds that remain unique entities but are bound together, offering the benefits of multiple deployment models

Cloud Computing Attacks

o Service Hijacking using Social Engineering Attacks
o Service Hijacking using Network Sniffing
o Session Hijacking using XSS
o Session Hijacking using Session Riding
o Domain Name System Attacks
o Side Channel Attacks or Cross-guest VM Breaches
o SQL Injection Attacks
o Cryptanalysis Attacks
o Wrapping Attack
o DoS and DDoS Attacks
o Man in the Cloud Attack

Types of virtualization

o Storage Virtualization - It combines storage devices from multiple networks into a single storage device and helps in:
-• Expanding the storage capacity
-• Making changes to the storage configuration easy
o Network Virtualization - It combines all network resources, both hardware and software, into a single virtual network and is used to:
-• Optimize reliability and security
-• Improve network resource usage
o Server Virtualization - It splits a physical server into multiple smaller virtual servers. Server virtualization is used to:
-• Increase space utilization
-• Reduce the hardware maintenance cost
